The Logging Statement | The Concise Guide to DNS and BIND

Syntax

 logging {   [ channel channel_name {     ( file path_name        [ versions ( number | unlimited ) ]        [ size size_spec ]      | syslog ( kern | user | mail | daemon | auth | syslog | lpr |                 news | uucp | cron | authpriv | ftp |                 local0 | local1 | local2 | local3 |                 local4 | local5 | local6 | local7 )      | null );     [ severity ( critical | error | warning | notice |                  info  | debug [ level ] | dynamic ); ]     [ print-category yes_or_no; ]     [ print-severity yes_or_no; ]     [ print-time yes_or_no; ]   }; ]   [ category category_name {     channel_name; [ channel_name; ... ]   }; ]   ... };

Definition and Usage

The logging statement configures a wide variety of logging options for the nameserver. Its channel phrase associates output methods, format options and severity levels with a name that can then be used with the category phrase to select how various classes of messages are logged.

Only one logging statement is used to define as many channels and categories as are wanted. If there are multiple logging statements in a configuration, the first defined determines the logging, and warnings are issued for the others. If there is no logging statement, the logging configuration will be

 logging {     category default { default_syslog; default_debug; };     category panic { default_syslog; default_stderr; };     category packet { default_debug; };     category eventlib { default_debug; }; };

The logging configuration is established as soon as the logging statement is parsed. If you want to redirect messages about processing of the entire configuration file, the logging statement must appear first. Even if you do not redirect configuration file parsing messages, we recommend always putting the logging statement first so that this rule need not be consciously recalled if you ever do need or want the parser's messages relocated.

The Channel Phrase

All log output goes to one or more channels; you can make as many of them as you want.

Every channel definition must include a clause that says whether messages selected for the channel go to a file, to a particular syslog facility, or are discarded. It can optionally also limit the message severity level that will be accepted by the channel (default is info), and whether to include a time stamp generated by named, the category name, or severity level. The default is not to include any of those three.

The word null as the destination option for the channel will cause all messages sent to it to be discarded; other options for the channel are meaningless.

The file clause can include limitations both on how large the file is allowed to become, and how many versions of the file will be saved each time the file is opened.

The size option for files is simply a hard ceiling on log growth. If the file ever exceeds the size, then named will just not write anything more to it until the file is reopened; exceeding the size does not automatically trigger a reopen. The default behavior is to not limit the size of the file.

If you use the version logfile option, then named will retain that many backup versions of the file by renaming them when opening. For example, if you choose to keep 3 old versions of the file lamers.log then just before it is opened lamers.log.1 is renamed to lamers.log.2, lamers.log.0 is renamed to lamers.log.1, and lamers.log is renamed to lamers.log.0. No rolled versions are kept by default; any existing log file is simply appended. The unlimited keyword is synonymous with 99 in current BIND releases. Example usage of size and versions options:

 channel an_example_level {     file "lamers.log" versions 3 size 20m;     print-time yes;     print-category yes; };

The argument for the syslog clause is a syslog facility as described in the syslog(3) manual page. How syslogd will handle messages sent to this facility is described in the syslog.conf(5) manual page. If you have a system which uses a very old version of syslog that only uses two arguments to the openlog()() function, then this clause is silently ignored.

The severity clause works like syslog's priorities, except that they can also be used if you are writing straight to a file rather than using syslog. Messages which are not at least of the severity level given will not be selected for the channel; messages of higher severity levels will be accepted.

If you are using syslog, then the syslog.conf priorities will also determine what eventually passes through. For example, defining a channel facility and severity as daemon and debug but only logging daemon.warning via syslog.conf will cause messages of severity info and notice to be dropped. If the situation were reversed, with named writing messages of only warning or higher, then syslogd would print all messages it received from the channel.

The server can supply extensive debugging information when it is in debugging mode. If the server's global debug level is greater than zero, then debugging mode will be active. The global debug level is set either by starting the named server with the -d flag followed by a positive integer, or by sending the running server the SIGUSR1 signal (for example, by using ndc trace). The global debug level can be set to zero, and debugging mode turned off, by sending the server the SIGUSR2 signal (as with ndc notrace). All debugging messages in the server have a debug level, and higher debug levels give more detailed output. Channels that specify a specific debug severity, for example

 channel specific_debug_level {     file "foo";     severity debug 3; };

will get debugging output of level 3 or less any time the server is in debugging mode, regardless of the global debugging level. Channels with dynamic severity use the server's global level to determine what messages to print.

If print-time has been turned on, then the date and time will be logged. print-time may be specified for a syslog channel, but is usually pointless since syslog also prints the date and time. If print-category is requested, then the category of the message will be logged as well. Finally, if print-severity is on, then the severity level of the message will be logged. The print-options may be used in any combination, and will always be printed in the following order: time, category, severity. Here is an example where all three print-options are on:

 28-Apr-1997 15:05:32.863 default: notice: Ready to answer queries.

There are four predefined channels that are used for named's default logging as follows. How they are used is described in the next section, "The Category Phrase."

 channel default_syslog {     syslog daemon;       # send to syslog's daemon facility     severity info;       # only send priority info and higher }; channel default_debug {     file "named.run";    # write to named.run in the working directory                          # Note: stderr is used instead of "named.run"                          # if the server is started with the -f option.     severity dynamic;    # log at the server's current debug level }; channel default_stderr { # writes to stderr     file "<stderr>";     # this is illustrative only; there's currently                          # no way of specifying an internal file                          # descriptor in the configuration language.     severity info;       # only send priority info and higher }; channel null {     null;                # toss anything sent to this channel };

Once a channel is defined, it cannot be redefined. Thus you cannot alter the built-in channels directly, but you can modify the default logging by pointing categories at channels you have defined.

The Category Phrase

There are many categories, so you can send the logs you want to see wherever you want, without seeing logs you don't want. If you don't specify a list of channels for a category, then log messages in that category will be sent to the default category instead. If you don't specify a default category, the following "default default" is used:

 category default { default_syslog; default_debug; };

As an example, let's say you want to log security events to a file, but you also want keep the default logging behavior. You'd specify the following:

 channel my_security_channel {     file "my_security_file";     severity info; }; category security { my_security_channel;                     default_syslog; default_debug; };

To discard all messages in a category, specify the null channel:

 category lame-servers { null; }; category cname { null; };

The following categories are available:

Default	The catch-all. Many things still aren't classified into categories, and they all end up here. Also, if you don't specify any channels for a category, the default category is used instead. If you do not define the default category, the following definition is used:
	category default { default_syslog; default_debug; };
config	High-level configuration file processing.
Parser	Low-level configuration file processing.
Queries	A short log message is generated for every query the server receives.
lame-servers	Messages like "Lame server on …"
statistics	Statistics.
Panic	If the server has to shut itself down due to an internal problem, it will log the problem in this category as well as in the problem's native category. If you do not define the panic category, the following definition is used:
	category panic { default_syslog; default_stderr; }
update	Dynamic updates.
Ncache	Negative caching.
xfer-in	Zone transfers the server is receiving.
xfer-out	Zone transfers the server is sending.
Db	All database operations.
Eventlib	Debugging info from the event system. Only one channel may be specified for this category, and it must be a file channel. If you do not define the eventlib category, the following definition is used:
	category eventlib { default_debug; };
packet	Dumps of packets received and sent. Only one channel may be specified for this category, and it must be a file channel. If you do not define the packet category, the following definition is used:
	category packet { default_debug; };
notify	The NOTIFY protocol.
Cname	Messages like "… points to a CNAME."
Security	Approved/unapproved requests.
Os	Operating system problems.
Insist	Internal consistency check failures.
Maintenance	Periodic maintenance events.
Load	Zone loading messages.
response-checks	Messages arising from response checking, such as "Malformed response …," "wrong ans. name …," "unrelated additional info …," "invalid RR type …," and "bad referral …."